Google’s Pixel updates had a nasty problem this month. Buried among dozens of critical updates and Android’s quarterly feature rollout was CVE-2024-32896. Google has warned that this high-severity firmware vulnerability “may be subject to limited and targeted exploitation.”
While Google has revealed few details about this zero-day (more on that below), the US government has stepped in, ordering federal employees to update their Pixel devices by the 4th of July or “discontinue use of the product,” meaning they only have 10 days to act. While this warning is aimed at government agencies, other businesses should similarly mandate full compliance from their employees. Personal users should also be cautious, especially if they connect their devices to corporate systems.
The US government warning stems from the Known Exploited Vulnerabilities (KEV) catalog maintained by the Cybersecurity and Infrastructure Security Agency (CISA). “Android Pixel firmware contains an unspecified vulnerability that could allow privilege escalation,” the advisory states simply.
Google did not provide details about the zero-day vulnerability, but GrapheneOS said it is the second patch for a vulnerability reported in April that is “actively being exploited in the wild by forensic firms.”
Worryingly, the company also says that this isn’t just a Pixel issue: “It was fixed for Pixel in the June update (Android 14 QPR3), and other Android devices will eventually get the fix when they update to Android 15. If you don’t update to Android 15, you may not have the fix as it hasn’t been backported.”
Given that the exploited vulnerability was listed in CISA’s KEV catalog, it is unclear what other owners of potentially at-risk Android devices that do not have immediate mitigations should do. Please stay tuned for more information on this.
GrapheneOS describes these two vulnerabilities as “memory not being wiped when booting into firmware-based fastboot mode, which can be exploited to retrieve previous OS memory.” [and] “AOSP device management APIs rely on reboot recovery for wipe prior to Android 14 QPR3,” it said, warning that “neither issue has yet been fixed outside of Pixel.”
Google’s June update came the same week as a report about the dangers of freeware on the Play Store, and just a few days after Zscaler warned that it had “identified and analyzed over 90 malicious applications uploaded to the Play Store…with over 5.5 million installs.”
And this week, Check Point’s cyber team warned about an Android Trojan called “Rafel” that has been detected in at least 120 malicious campaigns, which primarily targeted older, unsupported devices, but “users of current Android versions should be concerned, as this threat can infect a wide range of Android versions, from the oldest unsupported versions to the most current versions.”
Overall, this is a worrying situation for Android users. Pixel users should take CISA’s instructions seriously and update before the 4th of July holiday if they haven’t already. The download will happen automatically and will be fully installed after a reboot. Google publishes instructions for checking whether your Pixel device has received the update.